[c-nsp] NAT/ACL options in a PIX

John Ramz sforcejr at yahoo.com
Wed Aug 27 08:20:22 EDT 2008



Vinny,


#Thanks for the reply. So, host 5.6.7.8 wants to access that internal host. Would the access list to complete it look like this?

access-list ACL_NAME permit TCP host 5.6.7.8 host 10.10.10.110 eq 8081


#Now if I get another request to access a different host (10.10.10.111), could I reuse the same IP address (1.2.3.4) and do this?

static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
access-list ACL_NAME permit TCP host 9.10.11.12 host 10.10.10.111 eq 8081


ONE MORE QUESTION...
Since I am doing NAT 1 to 1, I already allowed 1 external host to access an internal host (10.10.10.110) on port 8080.

How can I allow another external host (different IP address) to access the same internal host (10.10.10.110) on port 8080?

Hopefully you can understand this last question.

Thanks




--- On Tue, 8/26/08, Vinny Abello <vinny at tellurian.com> wrote:

> From: Vinny Abello <vinny at tellurian.com>
> Subject: RE: [c-nsp] NAT/ACL options  in a PIX
> To: "sforcejr at yahoo.com" <sforcejr at yahoo.com>, "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
> Date: Tuesday, August 26, 2008, 10:23 PM
> Correct, you are doing NAT as a straight 1 to 1 translation
> for traffic. Using PAT, you can specify either TCP or UDP
> traffic and the outside and inside port numbers. This is
> still accomplished with the static statement. You'll
> still need the access-list entry as well unless you have
> another rule already covering it.
> 
> I'm confused though... If you need a different external
> host to access an internal server, why can't you reuse
> the same outside address in the translation? The PIX does
> extended translation automatically. Just add it to the
> access-list, or did I misunderstand?
> 
> If you are doing this on a different port and want to map
> various ports on one external IP to different internal hosts
> or ports, you can do this as well with the static statement:
> 
> static (inside,outside) tcp 1.2.3.4 8080 10.10.10.110 8081
> netmask 255.255.255.255 0 0
> 
> This maps traffic that matches TCP port 8080 hitting the
> outside address of 1.2.3.4 to port 8081 on internal IP
> 10.10.10.110.
> 
> I wasn't quite clear with your alphanumeric examples,
> but I hope this helps. I believe you truly just want to keep
> adding more entries to your access-list. Once you have a
> translation be it NAT or PAT defined, the access control is
> done through the access-list at that point.
> 
> -Vinny
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of John Ramz
> > Sent: Tuesday, August 26, 2008 10:32 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] NAT/ACL options in a PIX
> >
> > --CORRECTION---
> >
> > As a part of my 2nd question I made a mistake on the
> internal host IP.
> > This is the correction:
> >
> > I need to allow P.P.P.3 to access the same internal
> host
> > (10.10.10.110). I tried to assign a different Public
> ip
> > address(Q.Q.Q.11)...........
> >
> >
> > Thanks
> >
> >
> >
> > --- On Tue, 8/26/08, John Ramz
> <sforcejr at yahoo.com> wrote:
> >
> > > From: John Ramz <sforcejr at yahoo.com>
> > > Subject: NAT/ACL options  in a PIX
> > > To: cisco-nsp at puck.nether.net
> > > Date: Tuesday, August 26, 2008, 9:21 PM
> > > Version 6.3.5
> > > PIX 515
> > >
> > > We have been assigned 25 Public IP addresses by
> our ISP and
> > > I want to administer them in the most efficient
> way.
> > >
> > > We get a lot of requests for external access to
> different
> > > hosts in our private network. For example:
> > >
> > > Public trusted IP address requesting access:
> P.P.P.2
> > > Public IP address assigned by ISP: Q.Q.Q.10
> > > Internal host IP: 10.10.10.111
> > > port 80 or 8080 (http://10.10.10.111/site:8080)
> > >
> > > So far every time we get a request we do this:
> > >
> > > static (inside,outside) Q.Q.Q.10 10.10.10.111
> netmask
> > > 255.255.255.255 0 0
> > > access-list ACL_NAME permit tcp host P.P.P.2 host
> Q.Q.Q.10
> > > eq 8080
> > >
> > > QUESTION
> > > 1- Is it possible to do what I believe is called
> PAT and
> > > reuse the same public ip address(Q.Q.Q.10) when I
> get a
> > > second request to access a DIFFERENT
> host(10.10.10.112) and
> > > redirect them to port 8081 for example? If
> possible, how?
> > >
> > >
> > >
> > > Today I got a request to allow access to an
> internal
> > > host(10.10.10.110) that I have already mapped
> with this
> > > public IP: Q.Q.Q.9 . The source ip address is:
> P.P.P.3 .
> > > These are the statements already in the PIX:
> > >
> > > static (inside,outside) Q.Q.Q.9 10.10.10.110
> netmask
> > > 255.255.255.255 0 0
> > > access-list ACL_NAME permit tcp host P.P.P.1 host
> Q.Q.Q.9
> > > eq 8080
> > >
> > > I need to allow P.P.P.3 to access the same
> internal host
> > > (Q.Q.Q.9). I tried to assign a different Public
> ip
> > > address(Q.Q.Q.11) but I got this message:
> > >
> > > ERROR: duplicate of existing static
> > >
> > > QUESTION
> > > 2- Is there anyway to allow 2 IP addresses to
> access the
> > > same host on the same port-it could be
> different-?
> > >
> > > I appreciate any help since I am a beginner on
> this subject
> > >
> > >
> > > Thanks
> > >
> > > John
> >
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
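As an added example (not part of the thread or Cisco's own tooling), a small Python checker that models the two points discussed above on PIX 6.3: the "duplicate of existing static" conflict, and the fact that pre-8.3 inbound ACL entries are matched against the translated (global) destination, so a second external host is admitted by adding an ACL line for the same global address rather than a second static. The config lines are constructed from the thread's examples; 1.2.3.9 stands in for Q.Q.Q.9 and the port statics use hosts .111/.112.

```python
import re
from typing import NamedTuple, Optional
# Constructed PIX 6.3 snippet modelled on the thread (1.2.3.9 stands in for Q.Q.Q.9).
CONFIG = """
static (inside,outside) 1.2.3.9 10.10.10.110 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 8080 10.10.10.111 8081 netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.4 8081 10.10.10.112 8081 netmask 255.255.255.255 0 0
access-list ACL_NAME permit tcp host 5.6.7.1 host 1.2.3.9 eq 8080
access-list ACL_NAME permit tcp host 5.6.7.3 host 1.2.3.9 eq 8080
access-list ACL_NAME permit tcp host 5.6.7.8 host 1.2.3.4 eq 8080
access-list ACL_NAME permit tcp host 9.10.11.12 host 1.2.3.4 eq 8081
"""
STATIC_RE = re.compile(r"static \(inside,outside\) (?:(tcp|udp) )?(\S+) (?:(\d+) )?(\S+) (?:(\d+) )?netmask")
ACL_RE = re.compile(r"access-list \S+ permit (tcp|udp) host (\S+) host (\S+) eq (\d+)")

class Static(NamedTuple):
    proto: Optional[str]   # None for a 1:1 static, "tcp"/"udp" for a port (PAT) static
    gaddr: str             # global (outside) address
    gport: Optional[int]
    laddr: str             # local (inside) address
    lport: Optional[int]

def parse_statics(text):
    """Parse static lines, rejecting the conflicts the PIX reports as 'duplicate of existing static'."""
    statics = []
    for proto, gaddr, gport, laddr, lport in STATIC_RE.findall(text):
        s = Static(proto or None, gaddr, int(gport) if gport else None, laddr, int(lport) if lport else None)
        for e in statics:
            if s.proto is None and e.proto is None and (e.laddr == s.laddr or e.gaddr == s.gaddr):
                raise ValueError(f"duplicate of existing static: {e}")  # 1:1 static already uses an address
            if s.proto and (e.proto, e.gaddr, e.gport) == (s.proto, s.gaddr, s.gport):
                raise ValueError(f"duplicate of existing static: {e}")  # global addr/port already taken
        statics.append(s)
    return statics

def parse_acl(text):
    return [(p, src, dst, int(port)) for p, src, dst, port in ACL_RE.findall(text)]

def permitted(statics, acl, src, laddr, lport, proto="tcp"):
    """Global (addr, port) through which src may reach laddr:lport, or None (ACL matches the global dst)."""
    for s in statics:
        if s.laddr != laddr:
            continue
        if s.proto is None:
            gaddr, gport = s.gaddr, lport          # 1:1 static: port unchanged
        elif s.proto == proto and s.lport == lport:
            gaddr, gport = s.gaddr, s.gport        # port static: global port may differ
        else:
            continue
        if (proto, src, gaddr, gport) in acl:
            return gaddr, gport
    return None
```

Appending a second 1:1 static for 10.10.10.110 to CONFIG raises the same conflict the thread ran into, while the second ACL line for 1.2.3.9 is what admits the second external host.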

